One Website not accessible - RB5009

I have this one website that I can’t access: www.fussball.de, a German website about amateur football.
If I switch off IPV6 on my Win11 PC, the page can be accessed, but as soon as I activate IPV6 again, the page times out.
I am attaching my corrected configuration of the RB5009, perhaps you will find a configuration error, although I feel that I can access all other pages on the Internet.
The various IPV6 test pages also show no problems.
Tried various browsers, always the same.
I am desperate and need your help.
your_config.rsc (49.9 KB)

I don’t see an attached configuration, but I’m willing to predict that if you compare yours to mine, you’ll find the relevant discrepancy.

Thx for answering so quickly, checked your link and my config mostly matches the one described there. However, I have several VLANs so I can’t stick to it completely.
I have attached my config to the initial post.
Pls note, I can reach IPV6 sites, only www.fussball.de is driving me crazy, at least it is noticeable on that website.
The output of ipv6/route/print gives me two entries for the standard gateway ::/0:

DAv+ ::/0                         pppoe-WAN                                   1
DAg+ ::/0                         fe80::b68a:5fff:fe34:f1f8%pppoe-WAN         1
DAc  ::1/128                      lo                                          0

My article does indeed contain the necessary hint:

You might get away without the add-default-route=yes bit for simple setups, but if you follow my advice below to add a ULA, you create a situation where a given client might try to use its delegated ULA as the source address of IPv6 packets, which prevents Internet hosts from replying.

Each of your VLANs is using a ULA, and your DHCPv6 client config doesn’t set the GUA as the default route, giving this predictable effect.

Football always drives people crazy 🙂🙂🙂

Thank you for your help, it is much appreciated.
I have now set add-default-route=yes in the DHCPv6 client.

Here are the two outputs of /ipv6/route/print before and after the adjustment:
Before:

[simon@MikroTik-RB5009] > /ipv6/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN, g - SLAAC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
     DST-ADDRESS              GATEWAY                              ROUTING-TABLE  DISTANCE
DAv+ ::/0                     pppoe-WAN                            main                  1
DAg+ ::/0                     fe80::b68a:5fff:fe34:f1f8%pppoe-WAN  main                  1
DAd  2a02:560:559d:4a00::/56                                       main                  1
DAc  2a02:560:5003:55a8::/64  pppoe-WAN                            main                  0
DAc  2a02:560:559d:4a00::/64  VLAN10-LAN                           main                  0
DAc  2a02:560:559d:4a01::/64  VLAN20-GUEST                         main                  0
DAc  2a02:560:559d:4a02::/64  VLAN30-SERVER                        main                  0
DAc  2a02:560:559d:4a03::/64  VLAN40-CAM                           main                  0
DAc  2a02:560:559d:4a04::/64  VLAN50-MANAGEMENT                    main                  0
DAc  2a02:560:559d:4a05::/64  VLAN60-PV                            main                  0
DAc  2a02:560:559d:4a06::/64  VLAN70-IOT                           main                  0
DAc  2a02:560:559d:4a07::/64  wireguard1                           main                  0
DAc  fd17:cafe:e5b6:10::/64   VLAN10-LAN                           main                  0
DAc  fd17:cafe:e5b6:20::/64   VLAN20-GUEST                         main                  0
DAc  fd17:cafe:e5b6:30::/64   VLAN30-SERVER                        main                  0
DAc  fd17:cafe:e5b6:40::/64   VLAN40-CAM                           main                  0
DAc  fd17:cafe:e5b6:50::/64   VLAN50-MANAGEMENT                    main                  0
DAc  fd17:cafe:e5b6:60::/64   VLAN60-PV                            main                  0
DAc  fd17:cafe:e5b6:70::/64   VLAN70-IOT                           main                  0
DAc  fd17:cafe:e5b6:200::/64  wireguard1                           main                  0
DAc  fe80::/64                VLAN20-GUEST                         main                  0
DAc  fe80::/64                VLAN30-SERVER                        main                  0
DAc  fe80::/64                VLAN10-LAN                           main                  0
DAc  fe80::/64                bridge1                              main                  0
DAc  fe80::/64                VLAN70-IOT                           main                  0
DAc  fe80::/64                VLAN60-PV                            main                  0
DAc  fe80::/64                VLAN40-CAM                           main                  0
DAc  fe80::/64                VLAN50-MANAGEMENT                    main                  0
DAc  fe80::/64                wireguard1                           main                  0
DAc  fe80::/64                ether8-WAN                           main                  0
DAc  fe80::/64                VLAN22-WAN                           main                  0
DAc  fe80::/64                pppoe-WAN                            main                  0
DAc  ::1/128                  lo                                   main                  0

After:

[simon@MikroTik-RB5009] > /ipv6/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN, g - SLAAC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
     DST-ADDRESS              GATEWAY                              ROUTING-TABLE  DISTANCE
DAv+ ::/0                     pppoe-WAN                            main                  1
DAg+ ::/0                     fe80::b68a:5fff:fe34:f1f8%pppoe-WAN  main                  1
DAd+ ::/0                     fe80::b68a:5fff:fe34:f1f8%pppoe-WAN  main                  1
DAd  2a02:560:559d:4a00::/56                                       main                  1
DAc  2a02:560:5003:55a8::/64  pppoe-WAN                            main                  0
DAc  2a02:560:559d:4a00::/64  VLAN10-LAN                           main                  0
DAc  2a02:560:559d:4a01::/64  VLAN20-GUEST                         main                  0
DAc  2a02:560:559d:4a02::/64  VLAN30-SERVER                        main                  0
DAc  2a02:560:559d:4a03::/64  VLAN40-CAM                           main                  0
DAc  2a02:560:559d:4a04::/64  VLAN50-MANAGEMENT                    main                  0
DAc  2a02:560:559d:4a05::/64  VLAN60-PV                            main                  0
DAc  2a02:560:559d:4a06::/64  VLAN70-IOT                           main                  0
DAc  2a02:560:559d:4a07::/64  wireguard1                           main                  0
DAc  fd17:cafe:e5b6:10::/64   VLAN10-LAN                           main                  0
DAc  fd17:cafe:e5b6:20::/64   VLAN20-GUEST                         main                  0
DAc  fd17:cafe:e5b6:30::/64   VLAN30-SERVER                        main                  0
DAc  fd17:cafe:e5b6:40::/64   VLAN40-CAM                           main                  0
DAc  fd17:cafe:e5b6:50::/64   VLAN50-MANAGEMENT                    main                  0
DAc  fd17:cafe:e5b6:60::/64   VLAN60-PV                            main                  0
DAc  fd17:cafe:e5b6:70::/64   VLAN70-IOT                           main                  0
DAc  fd17:cafe:e5b6:200::/64  wireguard1                           main                  0
DAc  fe80::/64                VLAN20-GUEST                         main                  0
DAc  fe80::/64                VLAN30-SERVER                        main                  0
DAc  fe80::/64                VLAN10-LAN                           main                  0
DAc  fe80::/64                bridge1                              main                  0
DAc  fe80::/64                VLAN70-IOT                           main                  0
DAc  fe80::/64                VLAN60-PV                            main                  0
DAc  fe80::/64                VLAN40-CAM                           main                  0
DAc  fe80::/64                VLAN50-MANAGEMENT                    main                  0
DAc  fe80::/64                wireguard1                           main                  0
DAc  fe80::/64                ether8-WAN                           main                  0
DAc  fe80::/64                VLAN22-WAN                           main                  0
DAc  fe80::/64                pppoe-WAN                            main                  0
DAc  ::1/128                  lo                                   main                  0

It looks to me as if there is now a duplicate entry for the default gateway.

That’s because you also have NDP set to accept RAs, which also has this effect. What’s new is that your clients should now be learning that the gateway’s GUA is the default route, where before they had the freedom to choose.

It is possible you might have to reboot the gateway to make everything come into proper alignment.

I happened to run into this very trouble about a day before you started this thread. I’m not guessing here; this is what fixed it for me.

Okay, I switched this setting from “yes” to “yes if…”

Now it looks like this:

[simon@MikroTik-RB5009] > /ipv6/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
     DST-ADDRESS              GATEWAY                              ROUTING-TABLE  DISTANCE
DAv+ ::/0                     pppoe-WAN                            main                  1
DAd+ ::/0                     fe80::b68a:5fff:fe34:f1f8%pppoe-WAN  main                  1
DAd  2a02:560:55a5:ad00::/56                                       main                  1
DAc  2a02:560:55a5:ad00::/64  VLAN10-LAN                           main                  0
DAc  2a02:560:55a5:ad01::/64  VLAN20-GUEST                         main                  0
DAc  2a02:560:55a5:ad02::/64  VLAN30-SERVER                        main                  0
DAc  2a02:560:55a5:ad03::/64  VLAN40-CAM                           main                  0
DAc  2a02:560:55a5:ad04::/64  VLAN50-MANAGEMENT                    main                  0
DAc  2a02:560:55a5:ad05::/64  VLAN60-PV                            main                  0
DAc  2a02:560:55a5:ad06::/64  VLAN70-IOT                           main                  0
DAc  2a02:560:55a5:ad07::/64  wireguard1                           main                  0
DAc  fd17:cafe:e5b6:10::/64   VLAN10-LAN                           main                  0
DAc  fd17:cafe:e5b6:20::/64   VLAN20-GUEST                         main                  0
DAc  fd17:cafe:e5b6:30::/64   VLAN30-SERVER                        main                  0
DAc  fd17:cafe:e5b6:40::/64   VLAN40-CAM                           main                  0
DAc  fd17:cafe:e5b6:50::/64   VLAN50-MANAGEMENT                    main                  0
DAc  fd17:cafe:e5b6:60::/64   VLAN60-PV                            main                  0
DAc  fd17:cafe:e5b6:70::/64   VLAN70-IOT                           main                  0
DAc  fd17:cafe:e5b6:200::/64  wireguard1                           main                  0
DAc  fe80::/64                VLAN50-MANAGEMENT                    main                  0
DAc  fe80::/64                VLAN60-PV                            main                  0
DAc  fe80::/64                VLAN70-IOT                           main                  0
DAc  fe80::/64                bridge1                              main                  0
DAc  fe80::/64                VLAN20-GUEST                         main                  0
DAc  fe80::/64                VLAN10-LAN                           main                  0
DAc  fe80::/64                VLAN30-SERVER                        main                  0
DAc  fe80::/64                VLAN40-CAM                           main                  0
DAc  fe80::/64                wireguard1                           main                  0
DAc  fe80::/64                VLAN22-WAN                           main                  0
DAc  fe80::/64                ether8-WAN                           main                  0
DAc  fe80::/64                pppoe-WAN                            main                  0
DAc  ::1/128                  lo                                   main                  0

Will reboot the RB5009 now and will check.

fussball.de worked for a few minutes after the reboot, but now it doesn’t work again, crazy.

That amounts to “no” because as you see from your own screenshot, IPv6 forwarding is enabled.

I don’t like that setting at all. It’s confusing to the point of being near-magical. Say yes, or say no. Be explicit.

So I should set it to yes or no?

A further detail: I can get to that web site just fine from here, but then, I can’t get it to admit to having an IPv6 address at all.

$ dig -t AAAA fussball.de @8.8.8.8           
…
;fussball.de.			IN	AAAA

It is possible to get different answers depending on where the client is coming from, and sports sites are famous for doing that.

Still, I have to wonder if you aren’t running into a different issue than IPv6 SLAAC routing entirely. A content-filtering firewall that’s trying to get you to stop browsing football sites and get back to work, perhaps?

Because your WAN connection is using PPPoE which is point-to-point, the gateway is always the other peer, and you should neither accept router advertisements (keep the setting at “yes if forwarding disabled”), nor set “add default route” to “yes” for DHCPv6 Client. Set it to “no” and you’ll only have one default route with pppoe-WAN as gateway left.

Your issue that only happens with one website might be MTU related. Because you are using PPPoE for your WAN and I don’t see max-mru=1500 max-mtu=1500 in your /interface pppoe-client instance, the actual MTU of the WAN connection is probably smaller than 1500. In that case:

  • Either try to set max-mru=1500 max-mtu=1500 on pppoe-WAN to see if you can achieve an Actual MTU value of 1500 with RFC 4638.
  • If MTU=1500 is not possible on pppoe-WAN (RFC 4638 not supported by your ISP), modify the current IPv6 → ND default instance so that it announces an MTU value equal to the Actual MTU value of pppoe-WAN (for example 1492).
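
Added example, not part of any post in this thread: a small Python check that parses /ipv6/route/print output and reports every active ::/0 route other than the one PPP installs via the WAN interface, which is the state the advice above aims to eliminate. The sample rows are copied and trimmed from the listings in this thread; the function names and the default interface name argument are assumptions made for the example.

```python
import re

# Constructed samples: rows copied from the listings in this thread, trimmed.
BEFORE_FIX = """\
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN, g - SLAAC; + - ECMP
     DST-ADDRESS              GATEWAY                              ROUTING-TABLE  DISTANCE
DAv+ ::/0                     pppoe-WAN                            main                  1
DAg+ ::/0                     fe80::b68a:5fff:fe34:f1f8%pppoe-WAN  main                  1
DAd+ ::/0                     fe80::b68a:5fff:fe34:f1f8%pppoe-WAN  main                  1
DAd  2a02:560:559d:4a00::/56                                       main                  1
DAc  2a02:560:559d:4a00::/64  VLAN10-LAN                           main                  0
"""
AFTER_FIX = """\
    DST-ADDRESS              GATEWAY            ROUTING-TABLE  DISTANCE
DAv ::/0                     pppoe-WAN          main                  1
DAd 2a02:560:55a6:3300::/56                     main                  1
DAc 2a02:560:55a6:3300::/64  VLAN10-LAN         main                  0
"""

# Lower-case flag letters name the route's origin (from the Flags legend).
ORIGINS = {"c": "connect", "d": "dhcp", "v": "vpn", "g": "slaac"}
ROW = re.compile(r"^([A-Za-z+]+)\s+(\S+/\d+)\s+(.*)$")


def parse_routes(text):
    """Turn /ipv6/route/print rows into dicts; legend and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        flags, dst, rest = m.groups()
        fields = rest.split()  # [gateway,] routing-table, distance
        routes.append({
            "dst": dst,
            "active": "A" in flags,
            "ecmp": "+" in flags,
            "origin": next((ORIGINS[f] for f in flags if f in ORIGINS), "other"),
            "gateway": fields[0] if len(fields) == 3 else "",
            "distance": int(fields[-1]),
        })
    return routes


def extra_default_routes(routes, wan="pppoe-WAN"):
    """Active ::/0 routes other than the one PPP installs via the WAN interface."""
    return [r for r in routes
            if r["dst"] == "::/0" and r["active"]
            and not (r["origin"] == "vpn" and r["gateway"] == wan)]


if __name__ == "__main__":
    for name, text in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        extras = extra_default_routes(parse_routes(text))
        print(name, [(r["origin"], r["gateway"]) for r in extras] or "single default route")
```

An origin of slaac in the result points at accepted router advertisements, and dhcp points at add-default-route=yes on the DHCPv6 client.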

That domain redirects to www.fussball.de and that subdomain does have an AAAA record.

Indeed, through three levels of CDN CNAMEs. 🙄

I thank you for the gentle stroke of the clue-bat.

I set max-mru=1500 max-mtu=1500 on pppoe-WAN but it remains on an actual MTU of 1492.

Do you mean this setting?

After changing this it looks like this:

[simon@MikroTik-RB5009] > /ipv6/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
    DST-ADDRESS              GATEWAY            ROUTING-TABLE  DISTANCE
DAv ::/0                     pppoe-WAN          main                  1
DAd 2a02:560:55a6:3300::/56                     main                  1
DAc 2a02:560:55a6:3300::/64  VLAN10-LAN         main                  0
DAc 2a02:560:55a6:3301::/64  VLAN20-GUEST       main                  0
DAc 2a02:560:55a6:3302::/64  VLAN30-SERVER      main                  0
DAc 2a02:560:55a6:3303::/64  VLAN40-CAM         main                  0
DAc 2a02:560:55a6:3304::/64  VLAN50-MANAGEMENT  main                  0
DAc 2a02:560:55a6:3305::/64  VLAN60-PV          main                  0
DAc 2a02:560:55a6:3306::/64  VLAN70-IOT         main                  0
DAc 2a02:560:55a6:3307::/64  wireguard1         main                  0
DAc fd17:cafe:e5b6:10::/64   VLAN10-LAN         main                  0
DAc fd17:cafe:e5b6:20::/64   VLAN20-GUEST       main                  0
DAc fd17:cafe:e5b6:30::/64   VLAN30-SERVER      main                  0
DAc fd17:cafe:e5b6:40::/64   VLAN40-CAM         main                  0
DAc fd17:cafe:e5b6:50::/64   VLAN50-MANAGEMENT  main                  0
DAc fd17:cafe:e5b6:60::/64   VLAN60-PV          main                  0
DAc fd17:cafe:e5b6:70::/64   VLAN70-IOT         main                  0
DAc fd17:cafe:e5b6:200::/64  wireguard1         main                  0
DAc fe80::/64                VLAN50-MANAGEMENT  main                  0
DAc fe80::/64                VLAN60-PV          main                  0
DAc fe80::/64                VLAN70-IOT         main                  0
DAc fe80::/64                bridge1            main                  0
DAc fe80::/64                VLAN20-GUEST       main                  0
DAc fe80::/64                VLAN10-LAN         main                  0
DAc fe80::/64                VLAN30-SERVER      main                  0
DAc fe80::/64                VLAN40-CAM         main                  0
DAc fe80::/64                wireguard1         main                  0
DAc fe80::/64                VLAN22-WAN         main                  0
DAc fe80::/64                ether8-WAN         main                  0
DAc fe80::/64                pppoe-WAN          main                  0
DAc ::1/128                  lo                 main                  0

Yes, that setting. Normally with IPv6 the hosts should perform Path MTU Discovery with the help of ICMPv6 (which your firewall is correctly not blocking) but sometimes some hops on the way might not behave correctly and break it. In that case you can tell your LAN clients to reduce the MTU for IPv6 (IPv4 is not affected) by advertising that value together with RA.

Yes, that is normally what the default route should look like when you use PPPoE for your WAN.

After setting MTU in IPV6-ND to 1492 fussball.de is reachable again.
I hope that the site remains accessible.
Many thanks to all of you in the meantime, it is very much appreciated.

I will definitely be in touch again.